IV. REMARKS 

Claims 1-22 were presented for prosecution. Claims 1-4, 7-12, and 15-22 were rejected 
under 35 USC 102(a) as being anticipated by Gunter Ollmann's "Custom HTML Authentication 
- Best Practices on Securing Custom HTML Authentication Procedures," hereinafter "Ollmann." 
Claims 5, 6, 13 and 14 were rejected under 35 USC 103(a) as being unpatentable over Ollmann 
in view of "Securing against Denial of Service Attacks" (W3C). Claims 4 and 12 were rejected 
under 35 USC 112, second paragraph, as being indefinite. Applicant respectfully traverses the 
above rejections for the following reasons. 

With regard to the rejection of claims 4 and 12, Applicant has herein amended the claims 
to better clarify the subject matter. In particular, claim 4 now reads "wherein a request is 
deemed improper if a message body associated with the request has a zero length." Although not 
explicitly recited in this manner originally, one skilled in the art would have inherently 
understood that a zero length request refers to, e.g., an HTTP message request in which a 
message body was expected, but not submitted. Regardless, Applicant submits that claims 4 and 
12 are not indefinite. 

With regard to the rejections under 102(a) and 103(a), Applicant submits that Ollmann 
and W3C fail to teach or suggest each and every feature recited in numerous claims. For 
example: 

Claim 2 recites: "wherein the system for responding stops issuing HTTP "OK" response 
codes and issues no response after a predetermined number of improper requests are detected." 
The Office Action alleges that this feature is taught on page 4, line 6, which actually recites 
"automatically lockout an account after a threshold has been reached (e.g., three authentication 
failures)." Applicant submits that this passage does not teach the claimed issuing "no response 
after a predetermined number of improper requests." Instead, this passage teaches locking out an 
account, which is wholly distinct from the act of stopping the issuance of responses. Locking out 
an account is commonly understood to mean disallowing further access to an account, even if the 
user enters a correct name and password. 

Moreover, Ollmann explicitly recites continuing to issue an error message after the 
threshold is reached. "Thus, any further attempts to authenticate will result [in the] display of the 
same failure message." Ollmann, page 4, lines 9-10. In other words, Ollmann explicitly teaches 
that a response, i.e., the same failure message, should be issued even after a predetermined 
number of improper requests. Thus, Ollmann clearly does not anticipate claim 2. Claims 8, 10 
and 18 are allowable for the same reasons. 

Claim 4, as amended, recites: "wherein a request is deemed improper if a message body 
associated with the request has a zero length." The Office Action alleges that this feature is 
taught on pages 4-5. No such teaching is made regarding zero length message bodies. 
Accordingly, Applicant submits that claim 4 (and similarly claim 12) is not anticipated. 

Claim 5 recites "wherein a request is deemed improper if an HTTP "post" or an HTTP 
"get" command is expected and neither an HTTP "post" nor an HTTP "get" command is 
received." The Office Action alleges that this feature is taught on page 10 of W3C. Applicant 
sees no reference or suggestion to post or get commands on page 10 of W3C. A similar 
argument applies for claims 6, 13 and 14. Accordingly, Applicant respectfully requests 
withdrawal of the rejections to these claims. 

Claim 8 further recites: "wherein the system for responding to improper requests includes 
a response protocol that utilizes a standard error handling procedure for a first improper request 
from a requesting resource, issues an HTTP OK response code for N subsequent improper 
requests from the requesting resource, and then stops responding to the requesting resource 
altogether." No such teaching is made regarding a three step process as claimed. Applicant 
respectfully asks the Examiner to specifically point out where such a teaching is made, or 
withdraw the rejection. 

Independent claims 10 and 17 recite a similar three step process as that discussed above 
with respect to claim 8. Applicant respectfully asks the Examiner to specifically point out where 
such a teaching is made, or withdraw the rejection. 
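The following is an added illustration of the three step response protocol recited in claims 8, 10 and 17, combined with the "improper request" tests of claims 4 and 5 and the stop-responding behavior of claim 2. It is not the applicant's code or any code from the application; the value of N, keying the count by client address, the choice of 400 as the "standard error handling" status, and treating a message body as expected only for POST are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, List


@dataclass
class Request:
    client: str   # the "requesting resource"; a client address is assumed (constructed values in tests)
    method: str   # HTTP method name
    body: bytes   # raw message body, possibly empty


def is_improper(req: Request) -> bool:
    """Detection step (claims 4 and 5), as assumed for this example.

    Claim 5: a request is improper when neither GET nor POST is received.
    Claim 4: a request is improper when an expected message body has zero length;
    here a body is assumed to be expected only for POST.
    """
    if req.method not in ("GET", "POST"):
        return True
    if req.method == "POST" and len(req.body) == 0:
        return True
    return False


@dataclass
class Responder:
    """Response step (claims 2 and 8): per-client state machine over improper requests."""
    n_ok: int                                   # N, the number of HTTP OK responses after the first error
    counts: dict = field(default_factory=dict)  # improper-request count per requesting resource

    def respond(self, req: Request) -> Optional[int]:
        """Return the HTTP status code to send, or None meaning 'issue no response'."""
        if not is_improper(req):
            return 200                          # assumption: proper requests are served normally
        k = self.counts.get(req.client, 0) + 1
        self.counts[req.client] = k
        if k == 1:
            return 400                          # step 1: standard error handling for the first improper request
        if k <= 1 + self.n_ok:
            return 200                          # step 2: HTTP OK for the next N improper requests
        return None                             # step 3: stop responding to this resource altogether


def trace(responder: Responder, requests: List[Request]) -> List[Optional[int]]:
    """Feed a sequence of requests through the responder and collect the statuses sent."""
    return [responder.respond(r) for r in requests]
```

Running trace() with N=2 over four empty-body POSTs from one client yields [400, 200, 200, None]; a different client starts again at the error-handling step.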

With regard to claim 1, Applicant recites "a system for detecting improper requests; and a 
system for responding to improper requests." Conversely, Ollmann explicitly recites forcing 
"any error or unexpected request to generate a HTTP OK response." Nowhere does Ollmann 
disclose a system for detecting "improper" requests. Accordingly, Applicant submits that claim 
1 is not anticipated by Ollmann. 

Each of the claims not specifically addressed herein is believed allowable for the reasons 
stated above, as well as their own unique features. 
Applicant respectfully submits that the application is in condition for allowance. If the 
Examiner believes that anything further is necessary to place the application in condition for 
allowance, the Examiner is requested to contact Applicant's undersigned representative at the 
telephone number listed below. 



Dated: 1/25/08 

Hoffman, Warnick & D'Alessandro LLC 

75 State Street 

Albany, NY 12207 

(518) 449-0044 - Telephone 

(518) 449-0047 - Facsimile 



Respectfully submitted, 




Michael F. Hoffman 
Reg. No. 40,019 